Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12OGdxLTVncnEtOTcyOM4AAu1-
mozjpeg DecompressScanlines::read_scanlines is Unsound
This issue and its vector are similar to RUSTSEC-2020-0029 in the rgb crate, on which mozjpeg depends.
Affected versions of the mozjpeg crate allow creating instances of any type T from bytes, and do not correctly constrain T to the types for which it is safe to do so.
Examples of safety violations possible for a type T:
- T contains a reference type, and the constructed value holds a pointer to an invalid, arbitrary memory address.
- T requires a safety and/or validity invariant for its construction that may be violated.
The issue was fixed in 0.8.19 by using safer types and bumping the rgb dependency.
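The bug class the advisory describes (a generic from-bytes conversion with an unconstrained T) and the shape of the fix (restricting T to plain-old-data types), shown as an added example that is not mozjpeg's or rgb's own code; the `Pod` marker trait, `Rgb8`, `CastError` and `scanline_from_bytes` are hypothetical names chosen here, and the 6-byte scanline is constructed sample input.

```rust
use std::mem::size_of;

/// Marker for types every byte pattern of which is a valid value and which hold
/// no references: exactly the set of `T` the advisory says must be enforced.
/// `unsafe` because the implementer vouches for that property.
pub unsafe trait Pod: Copy {}

unsafe impl Pod for u8 {}
unsafe impl Pod for u16 {}

/// 8-bit RGB pixel; `#[repr(C)]` fixes the layout to 3 contiguous bytes.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
#[repr(C)]
pub struct Rgb8 { pub r: u8, pub g: u8, pub b: u8 }
unsafe impl Pod for Rgb8 {}

#[derive(Debug, PartialEq, Eq)]
pub enum CastError { LengthMismatch { len: usize, elem: usize }, ZeroSized }

/// Reinterpret a scanline's bytes as pixels of type `T`.
/// The `T: Pod` bound rejects `bool`, `char`, enums and any type holding a
/// reference at compile time (the unconstrained-T case of the advisory); the
/// length check keeps every read in bounds; `read_unaligned` avoids imposing an
/// alignment requirement on the input slice.
pub fn scanline_from_bytes<T: Pod>(bytes: &[u8]) -> Result<Vec<T>, CastError> {
    let elem = size_of::<T>();
    if elem == 0 { return Err(CastError::ZeroSized); }
    if bytes.len() % elem != 0 {
        return Err(CastError::LengthMismatch { len: bytes.len(), elem });
    }
    let n = bytes.len() / elem;
    let mut out = Vec::with_capacity(n);
    for i in 0..n {
        // SAFETY: i * elem + elem <= bytes.len() by the check above, and
        // `T: Pod` guarantees that any byte pattern is a valid `T`.
        let value = unsafe {
            std::ptr::read_unaligned(bytes.as_ptr().add(i * elem) as *const T)
        };
        out.push(value);
    }
    Ok(out)
}

fn main() {
    // Constructed 2-pixel RGB scanline: red, then a blue-ish pixel.
    let scanline: [u8; 6] = [255, 0, 0, 0, 128, 255];
    println!("{:?}", scanline_from_bytes::<Rgb8>(&scanline));
    // scanline_from_bytes::<bool>(&scanline) does not compile: `bool: Pod` is not implemented.
}
```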
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OGdxLTVncnEtOTcyOM4AAu1-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: almost 2 years ago
Identifiers: GHSA-v8gq-5grq-9728
References:
- https://github.com/ImageOptim/mozjpeg-rust/issues/10
- https://rustsec.org/advisories/RUSTSEC-2020-0165.html
- https://github.com/advisories/GHSA-v8gq-5grq-9728
Blast Radius: 0.0
Affected Packages
cargo:mozjpeg
Dependent packages: 15
Dependent repositories: 40
Downloads: 391,312 total
Affected Version Ranges: < 0.8.19
Fixed in: 0.8.19
All affected versions: 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.8, 0.8.9, 0.8.11, 0.8.13, 0.8.14, 0.8.15, 0.8.16, 0.8.17
All unaffected versions: 0.8.19, 0.8.20, 0.8.21, 0.8.22, 0.8.23, 0.8.24, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.10.0, 0.10.1, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10